O2 apologises for mobile web privacy flaw

Published Wednesday, Jan 25 2012, 17:20 GMT | By Andrew Laughlin
O2 has said that it has "fixed" a security flaw which shared the phone numbers of its mobile users with websites they visited.

The mobile carrier was at the centre of a Twitter storm today after it emerged that the firm had been transparently adding users' phone numbers to the HTTP headers sent to the websites they visited, the part of each request that carries technical details about the connection. It is understood that this only occurred over 3G and not WiFi.

There were concerns that malicious operators could have accessed the personal information for commercial - or even criminal - gain.

In a blog post this afternoon, O2 apologised to its mobile phone network users and said that it has "identified and fixed" the flaw.

"Security is of the utmost importance to us and we take the protection of our customers' data extremely seriously," said the mobile operator.

"We have seen the report published this morning suggesting the potential for disclosure of customers' mobile phone numbers to website owners.

"We investigated, identified and fixed it this afternoon. We would like to apologise for the concern we have caused."

The mobile carrier also published more information on what happened, claiming that only "trusted partners" were usually shown technical information containing a user's mobile phone number.

"When you browse from an O2 mobile, we add the user's mobile number to this technical information, but only with certain trusted partners," said O2.

"This is standard industry practice. We share mobile numbers with selected trusted partners for three reasons: 1) to manage age verification, which manages access to adult content, 2) to enable third party content partners to bill for premium content such as downloads or ring tones that the customer has purchased, 3) to identify customers using O2 services, such as My O2 and Priority Moments. This only happens over 3G and WAP data services, not WiFi."

However, O2 confirmed that any customers who accessed the mobile internet over 3G or WAP since January 10 have been at risk of the potential disclosure of their mobile phone number "to further website owners", and not just trusted partners.

The mobile operator, owned by Spanish telecoms giant Telefonica, said that the error occurred due to "technical changes" implemented as part of routine maintenance, which "had the unintended effect of making it possible in certain circumstances for website owners to see the mobile numbers of those browsing their site".

O2 said that the problem was fixed at 2pm today, and insisted that it will now only share customer mobile numbers with "trusted partners who work with [them] on age verification, premium content billing, such as for downloads, and O2's own services".

The Information Commissioner has already confirmed plans to investigate the error, and O2 said that it is in contact with his office and is "co-operating fully". The company confirmed that it has also contacted media regulator Ofcom about the incident.

O2's response has been met with a mixed reaction online.

Responding to the blog post, someone called Richard Wilson said: "Full and quick response, well done. Sadly you should have been aware of this two weeks ago."

Another user asked: "How can you claim it was selected trusted third parties when the site reporting this issue lew.io/headers.php had no affiliation with O2, and being a webmaster myself tested this on my site and I am not a trusted partner?"

Posting on O2's Twitter feed, Ben Garrett wrote: "So O2 seem to be ignoring all the calls to release a list of these 'trusted partners'. The ostrich approach it would seem."

Martin Hewitt added: "If these people are your trusted partners, why can't you share an encryption system instead of sending a unique ID in the clear?!"